The State of Software Diversity in the Software Supply Chain of Ethereum Clients

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: The software supply chain constitutes all the resources needed to produce a software product. A large part of this is the use of open-source software packages. Although the use of open-source software makes it easier for vast numbers of developers to create new products, they all become susceptible to the same bugs or malicious code introduced in components outside of their control. Ethereum is a vast open-source blockchain network that aims to replace several functionalities provided by centralized institutions. Several software clients are independently developed in different programming languages to maintain the stability and security of this decentralized model. In this report, the software supply chains of the most popular Ethereum clients are cataloged and analyzed. The dependency graphs of Ethereum clients developed in Go, Rust, and Java are studied. These clients are Geth, Prysm, OpenEthereum, Lighthouse, Besu, and Teku. To do so, their dependency graphs are transformed into a unified format. Quantitative metrics are used to depict the software supply chain of the blockchain. The results show a clear difference in the size of the software supply chain required for the execution layer and the consensus layer of Ethereum. Varying degrees of software diversity are present in the studied ecosystem. For the Go clients, 97% of Geth's dependencies are also in the supply chain of Prysm. The Java clients Besu and Teku share 69% and 60% of their dependencies, respectively. The Rust clients show a much more notable amount of diversity, with only 43% and 35% of OpenEthereum's and Lighthouse's respective dependencies being shared.
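The abstract describes normalizing per-language dependency lists into one unified format and then measuring, per client, what share of its dependencies also appear in a sibling client's supply chain. The following is an added illustration of that workflow, not code from the thesis: it parses constructed go.sum-style and Cargo.lock-style fragments (the samples are made up and do not reflect the real clients' lockfiles) into (ecosystem, name, version) tuples and computes the asymmetric shared-dependency fraction the abstract reports.

```python
import re

# Constructed go.sum-style fragments for two hypothetical Go clients.
# Real go.sum lines are "module version hash"; a "/go.mod" suffix on the
# version marks a go.mod-only entry that refers to the same module version.
CLIENT_A_GO_SUM = """\
github.com/golang/snappy v0.0.4 h1:AAAA
github.com/golang/snappy v0.0.4/go.mod h1:BBBB
golang.org/x/crypto v0.1.0 h1:CCCC
github.com/example/only-in-a v1.2.3 h1:DDDD
"""
CLIENT_B_GO_SUM = """\
github.com/golang/snappy v0.0.4 h1:AAAA
golang.org/x/crypto v0.1.0 h1:CCCC
github.com/example/only-in-b v2.0.0 h1:EEEE
github.com/example/also-only-in-b v0.1.0 h1:FFFF
"""
# Constructed Cargo.lock-style fragment for a hypothetical Rust client.
CLIENT_C_CARGO_LOCK = """\
[[package]]
name = "snap"
version = "1.1.0"

[[package]]
name = "sha2"
version = "0.10.6"
"""

def parse_go_sum(text):
    """Unified format: a set of (ecosystem, module, version) tuples."""
    deps = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        version = parts[1].removesuffix("/go.mod")
        deps.add(("go", parts[0], version))
    return deps

def parse_cargo_lock(text):
    """Same unified format, built from [[package]] entries."""
    pattern = r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"'
    return {("cargo", n, v) for n, v in re.findall(pattern, text)}

def shared_fraction(deps_a, deps_b):
    """Share of A's dependencies that also occur in B (asymmetric metric)."""
    if not deps_a:
        return 0.0
    return len(deps_a & deps_b) / len(deps_a)
```

The metric is deliberately asymmetric: with the samples above, two of client A's three dependencies are in B (about 67%), while only two of B's four are in A (50%), which is why the abstract quotes a separate figure per client.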
